Major technology companies are becoming faster at fixing security vulnerabilities, incentivized to close gaps for customers.
Vendors took an average of 52 days to fix security vulnerabilities in 2021, down from 80 days three years ago, data from Google's Project Zero show.
Between 2019 and 2021, Apple fixed 87% of its bugs in 90 days; Microsoft fixed 76% in the same period.
"The tech community is getting faster at fixing discovered security issues for a variety of reasons, including advancing DevOps and CI/CD technological advancements, adopting bug bounty programs into the mainstream, embracing open source platforms' security issue tracking, and Project Zero making an impact," said Eylam Milner, director, Argon Technology with Aqua Security.
There is a caveat to this progress. The largest tech companies handle their bug bounty programs differently than smaller or lesser-known companies.
"Companies such as Microsoft, Facebook, Oracle, Mozilla, and Linux are very different in the way they operate, let alone handle security issues, than most software vendors and open source projects," Milner said.
While the average time to fix a vulnerability has gone down, that could be a bit misleading based on the companies involved. On the other hand, trends like this often have a trickle-down effect that is making a positive impact across the tech industry at large.
"When a large tech company (e.g., Facebook) is forced to fix a security issue in 90 days, this puts the company in a position to innovate with in-house organizational structure, engineering culture, and even new technology solutions," said Milner.
The engineering community at large often mimics big tech innovators, moving forward the way the entire community handles security issue fixing.
Tech companies can only do so much
While the tech industry is getting better at remediating vulnerabilities in a more timely manner, the need to fix problems is not trickling down to the organizations using the software. If a customer lacks urgency in deploying a patch, a flaw can linger.
Even though members of the security community evangelize the importance of defined security patching processes and procedures as part of an overall security policy, there is still a knowledge gap, according to Matt Carpenter, senior principal security researcher with GRIMM.
"One of the core components of a good security policy is knowing what technologies/assets your organization maintains, and having regular patching intervals, processes and written procedures," Carpenter said.
Although companies realize the value of automated updates and regular automated checks and reports for out-of-date machines, less-security mature companies fall behind.
How tech can improve efforts to fix bugs and encourage patching
No matter how good tech companies have become at assessing vulnerabilities, there is always room for improvement. Adding automated application security solutions is key for diving deeper into vulnerability assessment and remediation.
"It's impossible for software consumers and vendors to handle a large amount of security risk in large codebases without an automated process for detection, remediation and prevention," said Milner.
The next step is to teach organizations to partner with trusted security companies in a long-term strategy, which helps reduce both risk and cost in the long term.
"For example, each organization should have a Security Architecture Review or similarly Threat And Risk Assessment (TARA) from a trusted and knowledgeable external security company," said Carpenter.
While informative, for assessments to add the most value, organizations should put together an internal security team with a top executive onboard, such as a CSO, CIO or CTO, to act as a liaison with the external assessment group.
This ensures assessment findings are communicated throughout the company and the necessary remediation steps can happen.
It's important to have clear strategies for both addressing general asset management, according to Daniel Trauner, senior director of security with Axonius.
"Without an asset management strategy, you might not even be aware that there's a patch to apply," Trauner said.
And if patches aren't applied in a timely manner, the quick remediation time of vulnerability remediation by tech companies won't do much good to prevent attacks